feat: Phase 3E plugin marketplace (v1 CLI)#14
Merged
Conversation
…or handling Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Mount Docker socket into API container for docker exec access - Install Docker CLI in API image - Join mcp-security-hub_mcp-network as external network - API can now exec into nmap-mcp, nuclei-mcp, ffuf-mcp etc. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add shared workspace bind mount (/workspace) in compose for file targets - Add OPENTOOLS_WORKSPACE env var for API container - Add UserUpdate schema + get_users_router for /api/v1/auth/me endpoint - Fix CypherEditor EditorState.readOnly.reconfigure TypeScript error Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…persistence Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Comprehensive design for a plugin marketplace covering: - Unified plugin bundles (skills + recipes + container definitions) - Git-based registry with sigstore-signed catalog - Transactional install with version-directory model and atomic rollback - Defense-in-depth sandboxing: per-plugin network isolation, seccomp profiles, egress control, mount blocklist, recipe command parsing - 22 CLI commands covering full plugin lifecycle - Team workflows: lockfiles, plugin sets, portable archives - Multi-registry support for private/org-internal plugins v1 scope: CLI-only. v1.1 deferred: web marketplace UI. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ShellExecutor handles docker_exec tasks since commands already include 'docker exec <container>'. Added done_callback on the background task to surface errors in logs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Card-based layout matching app design system - DataTable for scan history with status tags, tool badges, date formatting - Expandable task grid with status icons (spinner for running, check for done) - PrimeVue Select, InputText, InputNumber, Button, Tag, Message components - File upload support for binary/APK/source targets Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Containers are started on-demand when a scan needs them and stopped after the scan completes. Checks if container exists and is already running before starting. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Backend: poll container Running state up to 30s instead of naive 2s sleep. Logs when all containers are ready. Frontend: auto-poll scan list + tasks every 3s while scan is active. Button shows "Starting containers & scan..." during creation. Polling stops when scan reaches terminal state. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add JSONL parser for nuclei/httpx output (one JSON per line) - Add text fallback parser for tools without structured output - Parse cascade: dedicated parser → JSONL → generic_json → text - Tasks endpoint overlays live engine state during active scans so UI shows real-time status changes per task Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…xec wrapping for custom commands
20 TDD tasks covering the full v1 scope: - packages/plugin-core library (15 modules) - 22 CLI commands under opentools plugin - Loader integration + container status integration - 7 parallel batches identified for agent-driven execution Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…xtures Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…dels Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ction Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tection Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…c promotion Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implements Tasks 15-18: plugin_cli.py with all 22 commands (list, search, info, install, uninstall, update, up, down, logs, exec, pull, setup, verify, init, link, unlink, validate, freeze, sync, export, import, rollback, prune), registered as plugin_app in cli.py, with full test coverage (10 tests passing). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ration Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
packages/plugin-core/package (14 modules) — Pydantic v2 manifest models, SQLite plugin index, content-addressable cache, sandbox policy (mount blocklist, capability checks, org overrides, seccomp mapping), recipe command enforcement (shlex parsing), compose generator with per-plugin network isolation, sigstore verification, registry client with ETag caching, dependency resolver with cycle/conflict detection, transactional installer with atomic.activepointer rollback, and version pruningopentools plugin— search, info, install, uninstall, list, update, up, down, logs, exec, pull, setup, verify, init, link, unlink, validate, freeze, sync, export, import, rollback, prune~/.opentools/plugins/for marketplace plugins; container status shows plugin containers alongside built-in onesDesign spec:
docs/superpowers/specs/2026-04-15-phase3e-plugin-marketplace-design.mdImplementation plan:
docs/superpowers/plans/2026-04-15-phase3e-plugin-marketplace.mdTest plan
opentools plugin list,opentools plugin init my-test,opentools plugin validate .opentools plugin searchwith a catalog.json in~/.opentools/registry-cache/🤖 Generated with Claude Code